Ok found an example for you.
www.codersrevolution.com/index.cfm/2008/7/22/When-will-cfqueryparam-NOT-protect-me
Sadly I cannot provide any links as proof, so I won't argue with you, but I
am sure I have seen someone on this list provide some advanced sql
injection examples that got through cfqueryparam.
Anyone who uses a url variable in a sql statement - even with cfqueryparam
- is simply asking for trouble.
On Thu, Mar 7, 2013 at 1:18 PM, Russ Michaels snake.li...@snakepit.net wrote:
Ok found an example for you.
How exactly are we asking for trouble by using URL variables within
CFQUERYPARAMs?
For example, a message board might link to a message topic with
viewTopic.cfm?threadid=5
You can't do form posts for every call to your application, so I'm curious
as to how you propose doing this.
cfset myvar =
At some point, you want to verify that you are passing an actual threadid
(to use your example) and not a sql statement that someone has appended to
the url as threadid. If you simply use the url variable you aren't doing
that. If your cfqueryparm is checking for an integer you would probably
Even if your cfqueryparam is looking for a string (say you're using a
UUID), you're still safe because they're passed in as arguments to a
manufactured stored procedure. Ultimately, the db ends up doing something
like this:
declare @p1 nvarchar(4000);
select * from forums where threadid=@p1
Anyone who uses a url variable in a sql statement - even with cfqueryparam
- is simply asking for trouble.
There is nothing inherently unsafe in doing this. The worst that can
occur is an SQL error. The database will not execute the contents of
the variable.
Dave Watts, CTO, Fig Leaf Software
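To make the point concrete, an added example (not code from the thread, and Python with sqlite3 rather than ColdFusion): a stand-in for viewTopic.cfm?threadid=... that contrasts pasting the URL value into the SQL text with binding it as a parameter, which is what cfqueryparam does, plus the integer check that cfsqltype="cf_sql_integer" would apply. The forums table, its rows and the function names are constructed for the example.

```python
import sqlite3

# Constructed stand-in for the "forums" table discussed in the thread.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table forums (threadid integer, title text)")
    conn.executemany("insert into forums values (?, ?)",
                     [(5, "thread five"), (6, "thread six"), (7, "thread seven")])
    return conn

def view_topic_interpolated(conn, threadid):
    # Unsafe pattern: the URL value becomes part of the SQL text, so the
    # database parses whatever the browser sent as part of the statement.
    sql = "select threadid from forums where threadid=%s order by threadid" % threadid
    return [row[0] for row in conn.execute(sql)]

def view_topic_param(conn, threadid):
    # What cfqueryparam produces: the statement text is fixed and the value
    # travels separately as a bound parameter (the "declare @p1 ..." form
    # above). A non-numeric value is compared as data and matches no row.
    sql = "select threadid from forums where threadid=? order by threadid"
    return [row[0] for row in conn.execute(sql, (threadid,))]

def view_topic_checked(conn, threadid):
    # cfsqltype="cf_sql_integer" additionally rejects anything that is not an
    # integer before the query is sent; int() plays that role here.
    try:
        tid = int(threadid)
    except (TypeError, ValueError):
        raise ValueError("threadid must be an integer, got %r" % (threadid,))
    return view_topic_param(conn, tid)

if __name__ == "__main__":
    conn = make_db()
    print(view_topic_interpolated(conn, "5"))          # [5]
    print(view_topic_interpolated(conn, "5 or 1=1"))   # [5, 6, 7]: whole table
    print(view_topic_param(conn, "5 or 1=1"))          # []: treated as data
    print(view_topic_checked(conn, "5"))               # [5]
```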
I rarely use url variables, but when I do I always check to make sure it
contains the type of data I am expecting it to contain.
There is no difference between URL, form, cookie or (certain) CGI
variables, really. They're all equally unsafe. Anything that comes
from the browser is unsafe.
And, in this case, having cfqueryparam helps you debug weird errors that
you'd get when a field that is expected to be numeric is blank or not
numeric.
I.e.
where myField=#someval#
will result in an unrecognizable syntax error if #someval# is an empty
string, and the line number will be the end
I used cfparam to do that before cfqueryparam existed.
Regards
Russ Michaels
www.michaels.me.uk
www.cfmldeveloper.com - Free CFML hosting for developers
www.cfsearch.com - CF search engine
On Mar 6, 2013 8:37 PM, Rick Root rick.r...@gmail.com wrote:
cfquery name = qGetAllPropertiesAndOpenHouses
datasource=#arguments.real_estate_dsn#
select substring_index(p.mls_number, '_', 1) as p.mls_number,
p.street_number, p.street_name, p.city, p.state,
oh.mls_number, oh.date, oh.start_time, oh.end_time,
Perhaps it's the contents on that variable? Try putting it into a
cfqueryparam.
On Tue, Mar 5, 2013 at 10:47 AM, Rick Faircloth r...@whitestonemedia.com wrote:
Obvious first question- what is the exact value of
#arguments.listing_office_mls_id#?
When debugging something that I can't figure out from the query, I put the
whole thing within a CFOUTPUT so I can see exactly what's being sent to the
DB.
-Original Message-
From:
Thanks for the feedback, John.
I'm not sure what was wrong with that query.
The line throwing the error worked when I had the queries
separated, before I tried a left join.
Separating them again worked after I changed this line:
where substring_index(p.mls_number, '_', 1) = oh.mls_number
Use cfqueryparam to rule out the value of the arguments variable causing
syntax related issues.
When an error tells you the line number and it is in a query, it rarely is
that actual line; it just knows it is in the query somewhere.
On 3/5/13 11:47 AM, Rick Faircloth r...@whitestonemedia.com
Not concerned with the sql syntax as much as I am about not using
cfqueryparam.
Please please please take the time to convert every query you have to use
that.
Based on your cfarguments and db permissions for your dsn, a bad bad user
might be able to delete everything from your database.
Byron
Thanks for the tips and feedback, everyone!
Rick
-Original Message-
From: Byron Mann [mailto:byronos...@gmail.com]
Sent: Tuesday, March 05, 2013 2:05 PM
To: cf-talk
Subject: Re: Anyone see anything wrong with the syntax of the query?
Btw cfqueryparam is not actually there to protect against sql injection,
rather it is for parameterising queries to create execution plans for better
performance.
You can validate data in various ways before using in your query to achieve
the same result, such as cfparam, which will sometimes be
Protecting against sql injection also requires more than simply validating
datatypes, relying on cfqueryparam to do this will only protect you from
the basic drive by injections that rely on numeric fields accepting
strings, not advanced injections which can be done on any text field.
This
Sadly I cannot provide any links as proof, so I won't argue with you, but I
am sure I have seen someone on this list provide some advanced sql
injection examples that got through cfqueryparam.
On Tue, Mar 5, 2013 at 9:50 PM, Dave Watts dwa...@figleaf.com wrote:
The only way for this to be possible is to do something with the data
in your SQL after receiving the
I'd have to agree with Dave.
The only time I've seen an issue (with cfqueryparam) was with something
like a sql string generated based on say a search form and then that being
passed to a stored procedure that executes the statement in the procedure.
Not to say it's impossible, for there are